Creating a Policy for Electronic Records Management

BOB GREGBoardman & Clark LLP

In a previous blog post, I talked about the need for an effective policy and process for electronic records management. This is an undertaking that requires serious assessment – there is no cut and paste approach to doing this. While may struggle to find the time to do this, it is required, and failure to do so can result in massive court sanctions or summary judgment in the event of a dispute with a vendor, former employee, or business partner.

There are a number of good resources that can be good starting points in developing a policy. The American Records Management Association has its “Generally Accepted Recordkeeping Principals” model. International Organization for Standardization has ISO 15489-1 guidance. However, these are just the beginnings and are only a framework which must then tailored to your organization.

Things an Electronic Records Management Policy Must Address

When developing a policy and process for electronic records management, at a minimum, policies should cover:

Creation of records (including prohibitions on what not to have on the system)

Retention and security (including back-up storage media)

Retrieval

When and how to destroy.

Your process should comply with all relevant laws and regulations and with court discovery rules. Various laws require keeping records in different ways, so educate yourself on what’s required for your company and the type of data you’re storing.

Creation of Electronic Records

There are various laws addressing requirements about how information can be stored and with what level of security. Medical information, I-9s, personal identity information, customer financial dates and much more must be kept with security and confidentiality. Other records require no security.

Some records are "public" and must be kept open for all to access. The organization may have its own internal concern for trade secrets versus its "public" communication. It is important to know which are which and have coordinated protocols to assure each is generated and stored properly.

Retention and Retrieval of Electronic Records

There are different statutes of limitations regarding how long different types of records must be retained and requirements can vary from state to state. Labor records must be kept for at least two years, however, Worker's Compensation cases can have a 12-year statute of limitations. A contract can have a six-year statute of limitations. Hazardous chemical records may have to be kept forever.

Whatever your company’s situation, it is crucial to know requirements that apply.

Destruction of Electronic Records

Develop (and keep updated the specific protocols) for destruction for each category of records. There is a "safe harbor" in the discovery rules that eliminates penalties or sanctions if records are disposed of according to a written plan, which is followed consistently. This must be under the control of trained professionals and which allows sufficient time for anticipated claims to be filed before any destruction. Again, this should, at a minimum, track the basic statutes of limitation for various types of records and potential cases.

The records policy should specify who is responsible for retention and who has specific, and sole, authority to destroy each type of record. There should then be double checks before actual destruction.

Finally, records policies should not only address network storage, but should also account for data stored on individual personal computers and other devices.

Hold it! Freeze everything if there may be litigation.

You’re required to stop any deletion of records when you are "on notice" that there may be litigation. The obligation arises when there is any practical reason to believe future litigation might occur over an issue, not when there is an official summons or complaint.

The "may be" can be triggered by any dispute with a vendor or customer that goes beyond a casual disagreement (i.e., letters start to be exchanged over the issue), any letter from an attorney; anytime an employee is fired during economic times where the next job is hard to find; any accident causing personal injury or property damage.

These and more events should prompt one to freeze the system and inform all involved to not delete anything without authorization. Once "on notice," the hold should stop destruction of any relevant records for the duration of the litigation.

Review Your Electronic Records Management Program Annually

Technology changes and current decisions expand, or limit, the scope of records management requirements. Outdated management programs result in liability. Stay up to date!